Announcing the Gallery bounty program!

The Gallery team is very excited to announce a new bounty program, where we pay you for helping us out by finding security problems in Gallery products or by contributing code. Additionally, you can pitch in to the fund to reward people that fix bugs or write features you want to see fixed or implemented! We're pledging $5000 to get this started, and you can start contributing right now! Read on for the details of this program.

Security Bounties

We're offering a substantial amount of money for responsibly reporting security issues to us. To get the bounty, the security issue must be reported to security@gallery.menalto.com and must not be made public until a fix is available from us on the official Gallery website. The security issue must be valid on the latest release of Gallery 2. Critical problems that require an immediate fix will be worth $1000, and smaller amounts will be paid out for moderate ($400), non-critical ($200), and trivial ($100) problems. If we are already aware of an issue, you won't receive the full bounty but will still be credited with finding it independently (and may, at our discretion, receive some of the bounty amount). Understandably, known security issues aren't listed publicly until they are fixed, and not all security issues are serious enough to require an immediate fix. We have a long history of collaborating with security researchers and are convinced that trust will not be an issue.

Feature and Bug Bounties

You can also make money fixing bugs or writing code! This one is a little more complicated, but the outcome is similar. We'll pay you to write features or fix bugs that have been voted into the "top feature requests" list. The #1 open item is worth $500, #2 $400, #3 $300, and the rest of the top 10 are worth $250. However, this isn't as easy as it sounds; there are a few requirements:

  • You must get approval from us before starting on your work. This is both to claim the item (we won't let other developers sign up for the bounty until you give up or disappear) and to make sure that the goals are well defined. Some of the RFEs aren't very specific, and we'll mutually agree on a set of deliverables before you get started. To get the bounty, your code must meet the spirit of the request (with the majority of the core team approving).
  • You should work in the open. We'll need to see progress for you to keep the bounty assigned to you, and code developed without feedback from the team will be sent back without detailed review if it doesn't look or feel right. This sounds subjective and is! We'll help you out if you work in the open, and you'll get the money as long as you do a significant amount of the work.
  • Your work must meet our coding standards and include unit tests. This isn't hard, but working in the open and getting continual feedback from us will likely be important! It must be accepted into Gallery SVN trunk (or gallery-contrib if the code is for Gallery 2 and the majority of the core team approves), the copyright must be assigned to us (as with all of our contributed code), and the code must be licensed with the GPL.

Getting and giving money

E-mail bounties@gallery.menalto.com to either donate or sign up for a bounty. (Security reports always go to security@gallery.menalto.com.) If you would like to donate to a specific RFE, just make a donation with one of the usual methods, forward a copy of your donation confirmation, and let us know which RFE you're donating towards. Initially, 50% of your donation will go to the winner of the bounty and 50% will be treated as a regular donation. Once the total amount of donations received matches our initial contribution to that particular item, 25% of your donation will go to the winner of the bounty and 75% will go to the general fund. Additionally, recipients of a bounty don't have to accept any or all of it! They are welcome to privately (only known to the person on our team that manages our finances) or publicly (news announcement!) accept or refuse all or part of the bounty. Once our initial $5000 commitment is gone, we will likely put more money into the program and make an announcement indicating this.

Additional details will be posted on the Gallery Bounties Page as we write them up and answer questions.

Quote:
Initially, 50% of your donation will go to the winner of the bounty and 50% will be treated as a regular donation. Once the total amount of donations received matches our initial contribution to that particular item, 25% of your donation will go to the winner of the bounty and 75% will go to the general fund.

Obviously, this means that either 50% or 25% (depending on the above conditions) will go to the person who fixes the bug/implements the feature request. What happens to the other 50% or 75% is a little confusing to me. Is it treated as a regular donation to *gallery*? Or is it added to the slush fund that was created for security/bug fixes/rfe bounties?
_________________________________
Support & Documentation || Donate to Gallery || My Website


The other 50% or 75% is treated as a regular donation to Gallery. If it makes you feel better, you can consider it going into the pool that funds the $5k we're putting in to bounties, but it's all one account!

--
http://ckdake.com/

If you found my help useful, please consider donating to Gallery.

imedinag wrote:
Interesting program, although in relation to the "top feature requests" list it could turn out a little short, since development of such "requests" is quite uncertain.

What do you mean? That development of features in the "top 10" isn't a certainty? For example, sometimes someone adds a feature that is not in the top 10? Or one that is 8th in the list instead of 1st?

Or do you mean that whoever picks up the request to complete it might not do a good job?
_________________________________
Support & Documentation || Donate to Gallery || My Website

Hi, fryfrog.

No, I do not mean what you mention. I mean the volume of work could vary quite a bit in each request. That is the "uncertain" I referred to.

Of course, the top list is a certainty, and of course the good job that is always done in Gallery. :-)

Quote:
What happens to the other 50% or 75% is a little confusing to me. Is it treated as a regular donation to *gallery*? Or is it added to the slush fund that was created for security/bug fixes/rfe bounties?

You're getting paid but half goes back to the website owners?

I like the concept; I don't feel qualified, but I applaud the initiative. Developers have to live too, so it's realistic to put some money down for contributors.

Martin

No, the person who gets the bounty gets all of it.

It is the person *donating* who is giving 25% or 50% to a specific bounty and 75% or 50% to the gallery project's regular old donations.
_________________________________
Support & Documentation || Donate to Gallery || My Website

Oops, sorry, now I get it.

Thanks Fryfrog for clarifying it to me.

Martin

-------------------------
There's a horse sticking its head in our kitchen window, isn't there?


I must say this really is good for trust. You're letting people know you are serious when it comes to security. Many OS projects lack good security; that's the main reason why I don't like uploading the work of others.

Gallery is one of the few i trust.

Signature____________
Visit my module development tutorials at Combined-Minds.net

Of course, this is true ;)
__

Great initiative. We design a lot of sites using Joomla and Drupal, but so far I haven't seen this solution to fix bugs and get to high security standards.

Thumbs up!

-------------------
Jhorst - Lenen